Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33544

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 weeks, 1 day ago

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 x_refsource_CONFIRM
https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 x_refsource_MISC
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 x_refsource_MISC

Affected products

tinyauth

==< 5.0.5

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@shaunren Shaun Ren

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers